Method for the encryption of data transfer

ABSTRACT

The object of the invention is a method for the encryption of information transferred between data transfer devices (MS, SGSN) in a data communication system wherein one or more data frames are created from one or more data packets formed from the information by the application. The data frames comprise at least a header field and a data field. In the method, at least some part of the data packets is ciphered by using a ciphering key (Kc). To the data frames, synchronization data (COUNT) is attached, the value of which is changed at least at the transmission of each data frame.

BACKGROUND OF THE INVENTION

The present invention relates to a method for the encryption ofinformation being transferred between data communication devices in adata communication system wherein one or more data frames are formedfrom one or more data packets formed from the infomation by anapplication, and these data frames comprise at least a header field anda data field. The invention relates additionally to a data communicationsystem which comprises the means for the encryption of information beingtransferred between data transfer devices, the means for forming one ormore data packets from the information and the means for forming dataframes from the data packets.

Data transfer between separate data transfer devices can be achieved insuch a way that those data transfer devices between which data at thattime is to be transferred, are linked together for the time needed forthe data transfer. In such a case, the link is maintained until the userstops the data transfer. In such cases, most part of the linkage time isspent in entering commands provided by the user and only a small part ofthe time is actual data transfer. This limits, for example, the maximumnumber of simultaneous users. Another possibility is to exploit aso-called packet switched data transmission. In this case, data istransferred between data transfer devices in a packet mode, in whichcase the time between the packets is freely available and can be used byother data transfer devices. In this case, the number of simultaneoususers can be increased, especially in wireless data transfer networks,such as cellular networks, since in this case the mobile stations whichare in the same cellular area can use the same transfer channel. Onesuch a cellular system is the GSM system (Group Special Mobile) forwhich a packet mode data transfer service GPRS (General Packet RadioService) has been developed. FIG. 1 shows a block diagram of principalblocks in the operation of the GPRS system. A packet switchingcontroller SGSN (Serving GPRS Support Node) controls the operation ofpacket switching service on the cellular network side. The packetswitching controller SGSN controls the sign-on and sign-off of themobile station MS, the updating of the location of the mobile station MSand the routing of data packets to their correct destinations. Themobile station MS is connected to the base station subsystem BSS througha radio interface Um (FIG. 1). The base station subsystem is connectedto the packet switching controller SGSN through the BSS-SGSN interfaceGb. In the base station subsystem BSS, the base station BTS and the basestation controller BSC have been connected to each other by a BTS-BSCinterface Abis. The location of the packet switching controller SGSN inthe mobile station network can vary, for example, according to whichtechnical implementation is being used. Although in FIG. 1, the packetswitching controller SGSN has been marked outside the base stationsubsystem BSS, the packet switching controller SGSN can be placed, forexample, as a part of the base station BTS connected to the base stationsubsystem BSS or as a part of the base station controller BSC.

The GPRS system has been described, for example, in draft proposals GSM01.60, GSM 02.60, GSM 03.60 and GSM 04.60 which have been dated prior tothe application date of the present invention.

The operation of both the mobile station MS and the packet switchingcontroller SGSN can be divided into various layers, each providing adifferent function, as has been shown in FIG. 2. The InternationalStandardisation Organisation, ISO, has formulated an OSI model (OpenSystems Interconnection) for grouping data transfer into differentfunctional layers. In this model, there are seven layers which are notnecessarily needed in all data communication systems.

Transferable information, such as control signalling and datatransmitted by the user, between a mobile station MS and a packetswitching controller SGSN is exchanged preferably in a data frame mode.The data frame of each layer consists of a header field and a datafield. FIG. 2 shows also the structure of data frames being used in theGPRS system in different layers.

The information contained in the data field can be, for example, dataentered by the user of the mobile station or signalling data. The datafield may contain confidential information which has to be secured asreliably as possible before transmitting it to the radio path. In such acase, the encryption has to be executed in such a way that in allsimultaneous connections between the packet switching controller SGSNand mobile stations MS connected to it, a separate encryption key isused. Conversely, it is not preferable to cipher the address data of thedata frame by the same encryption key used in the ciphering of the datafield, since mobile stations MS use a shared radio path resource, i.e.information in many different connections is transferred in the samechannel, for example, at different time intervals. In this case, eachmobile station should receive all messages transmitted in the channelconcerned and decrypt at least the encryption of the address data toidentify to which mobile station the message is intended. Also thepacket switching controller SGSN does not know which encryption keyshould be used.

In the following, the operational functions of the layers of the GPRSsystem have been presented.

The lowest layer is called an MAC layer (Media Access Control) whichcontrols the use of the radio path in the communication between themobile station MS and the base station subsystem BSS, such as allocatingchannels for transmitting and receiving packets.

Data transmission between the base station subsystem and the packetcontroller SGSN in the lowest level is executed at the L2 layer (linklayer) in which link layer protocol is used, such as LAPD protocolaccording to standard Q.921, frame relay protocol or the equivalent. TheL2 layer may additionally contain also quality or routing data accordingto GPRS specifications. Layer L2 has properties of the physical layerand the link layer of the OSI model. The physical transmission linebetween the base station subsystem BSS and the packet controller SGSNdepends, for example, on where the packet controller SGSN has beenlocated in the system.

Above the MAC layer, there is an RLC layer (Radio Link Control) and itsfunction is to divide the data frames formed by the LLC layer into fixedsized packets to be transmitted to the radio path and their transmissionand retransmission when necessary. The length of the packets in the GRPSsystem is the length of one GSM time slot (approximately 0.577 ms).

LLC layer (Logical Link Control) provides a reliable transmission linkbetween the mobile station MS and the packet controller SGSN. The LLClayer, for example, adds to the transmitted message error checking databy means of which it is intended to correct those uncorrectly receivedmessages and when necessary, the message can be retransmitted.

SNDC layer (Sub-Network Dependent Convergence) comprises functions likeprotocol conversions of transmitted information, compression,segmentation and segmentation of messages coming from the upper layer.Additionally, ciphering and deciphering are accomplished at the SNDClayer. The structure of the SNDC frame has been presented also in FIG.2. The SNDC frame comprises an SNDC header field (SNDC header) and anSNDC data field (SNDC data). The SNDC header field consists of protocoldata (Network Layer Service access point Identity, NLSI) and of SNDCcontrol data, such as determinations of compression, segmentation andciphering. The SNDC layer functions as a protocol adapter betweenprotocols used at the upper level and the protocol of the LLC layer(link layer).

The transmitted information comes preferably as data packets to the SNDClayer from some application, such as messages according to the GPRSsystem or packets of the Internet protocol (IP). The application can be,for example, a data application of a mobile station, a telecopyapplication, a computer program which has a data transmission link to amobile station, etc.

The MAC layer, RLC layer, LLC layer and the L2 layer contain propertieswhich are described at layer 2 in the OSI model. The above mentionedlayers and the layers described in the OSI model are not, however,distinctly coherent.

The SNDC frame is transferred to the LLC layer where an LLC header fieldis added to the frame. The LLC header field consists of a TemporaryLogical Link Identity (TLLI) and an LLC control part. The packetcontroller GPRS establishes a TLLI identity for each data transmissionlink between a mobile station MS and a packet controller GPRS. This datais used in data transmission for defining which data transmission linkeach message belongs to. Simultaneously, the same TLLI identity can onlybe used in one data transmission link. After the termination of thelink, the TLLI identity used in the link can be allocated to a new linkto be subsequently formed. The LLC control part defines the frame numberand the command type (info, acknowledge, retransmission request etc.)for ensuring an error free data transfer.

Ciphering in the GSM system is executed at the physical layer as a bitper bit ciphering, i.e. bit stream transmitted to the radio path isformed by summing to the transmitted data ciphering bits which areformed by using algorithm A5 known per se, by using a ciphering key Kc.Algorithm A5 ciphers transmitted data and signalling information at thephysical layer on the channels dedicated to data transfer (TrafficChannel, TCH or Dedicated Control Channel, DCCH).

Synchronization of transmitted messages is ensured in such a way thatalgorithm 5 is driven by means of a special synchronization data(COUNT). The synchronization data COUNT is formed on the basis of a TDMAframe number. Then the contents of each 114-bit block formed byalgorithm A5 depend only on the frame numbering and the ciphering keyKc.

The setting of the ciphering key Kc is most preferably executed at thestage when the communication traffic of the dedicated channel has notyet been encrypted and the mobile station network being used hasidentified the mobile station MS. In the identification in the GSMsystem, an International Mobile Subscriber Identity, IMSI, is used whichidentifies the mobile station and which has been stored in the mobilestation, or a Temporary Mobile Subscriber Identity, TMSI, is used whichhas been formed on the basis of the subscriber identity. In a mobilestation, also a subscriber identification key, Ki, has been stored. Thesubscriber identification key Ki is also known by the mobile stationnetwork.

To ensure that the ciphering key Kc is known only by the mobile stationMS and the mobile station network, the transmission of the ciphering keyfrom the base station subsystem BSS to the mobile station MS isindirect. Then, in the base station subsystem BSS, a Random AccessNumber, RAND, is formed which is transmitted to the mobile station MS.The ciphering key Kc is formed from the random access number RAND andfrom the subscriber identification key Ki by using algorithm A8, as hasbeen shown in FIG. 3. The calculation and storing of the ciphering keyKc are executed both in the mobile station MS and in the mobile stationnetwork.

Data transfer between the mobile station MS and the base stationsubsystem BSS is nonciphered at the start of the connection. Thetransition to the ciphered mode proceeds preferably in such a way thatthe base station subsystem BSS transmits to the mobile station a certaincommand (unciphered) which in this context is called the "start cipher".After the mobile station MS has received the command "start cipher", itstarts the enciphering of the transmitted messages and deciphering ofthe received messages. Correspondingly, the base station subsystem BSSstarts the enciphering of messages transmitted to the mobile stationafter the base station subsystem has received the ciphered messagetransmitted by the mobile station and deciphered the cipheringcorrectly.

In the above described ciphering, the synchronization was based, forexample, on the TDMA frame numbering of the physical layer. It is notpossible to use it in all applications, particularly when informationbelonging to different connections is transmitted on the same channel,such as in packet switched data transmission methods.

In the European patent application EP-0 689 316, a method has beenpresented for the encryption of data transfer wherein, for example,encryption data which comprises an encryption key is attached to thetransmitted data frames. A U.S. Pat. No. 5,319,712 comprises a methodand equipment for the encryption of data transfer so that a sequencenumber is attached to the data frames of the link layer and the dataframe is ciphered. A disadvantage of these ciphering methods accordingto the prior art is, for example, that the receiver does not knowwithout deciphering, to whom the received data frame is intended, inwhich case the unnecessary reception of data frames and decipheringcauses a deterioration in the efficiency of the system.

SUMMARY OF THE INVENTION

The aim of the present invention is to provide a method and equipmentfor the encryption of data transfer in a data transfer system whereinthe transferred data is in a data frame mode and which data transfersystem has been divided into functional layers in which case the dataframe structure can be different in the different layers. The methodaccording to the invention is characterized in that at least some partof the data packets is ciphered by a ciphering key and thatsynchronization data is attached to the data frames and its value ischanged at least at the transmission of each data frame. The systemaccording to the invention is characterized in that the means forciphering the information comprise at least:

means for ciphering data packets with a ciphering key,

means for attaching synchronization data to the data frames,

means for changing the value of the synchronization data at thetransmission of each data frame, and

means for interpreting the synchronization data in the data transferdevice of the receiver.

Considerable advantages are achieved by the invention, compared to theciphering methods according to the prior art. In the method according tothe invention, the header field of the data frame of the physical layercan be transmitted in a non-ciphered mode, or methods which arepresently known can be used in the ciphering. In the method according tothe preferable embodiment of the invention, the ciphering key is changedfor each transmission block of the physical layer, in which casedeciphering without knowledge about the ciphering key is virtuallyimpossible. By using the method according to the invention, it ispossible additionally to implement a partial enciphering, in which caseonly a part of the transmitted data frames is ciphered. In this case,for example, advertisements can be delivered non-ciphered and otherinformation ciphered only to those who have the right to receiveciphered data frames and to decipher them.

BRIEF DESCRIPTION OF THE DRAWING

The invention is described in more detail in the following by referringto the attached drawings in which

FIG. 1 shows the logical structure of the GPRS system as a schematicblock diagram,

FIG. 2 shows the layer structure of the GPRS system and the data framestructure of the layers,

FIG. 3 shows definition of the ciphering key according to the prior artin mobile stations and in a mobile station network as a schematic blockdiagram,

FIG. 4a shows ciphering according to a preferable embodiment of theinvention,

FIG. 4b shows ciphering according to another preferable embodiment ofthe invention,

FIGS. 5a-5d show the data frame structure of the link layer according toan embodiment,

FIG. 6a shows the data frame structure of the adapting layer accordingto an embodiment with Point-to-Point connection, and

FIG. 6b shows the data frame structure of the adapting layer accordingto an embodiment with multipoint connection.

DETAILED DESCRIPTION OF THE INVENTION

In the following, the invention has been visualized by means of a packetswitching service GPRS implemented in the GSM system, but the inventionhas not, however, been limited only to this system.

In the invention, one has aimed at the implementation wherein as much aspossible of the existing ciphering technique is exploited, such as theciphering of the GSM system which is adjusted so that it can be appliedin the transmission of data frames, for example, in the GPRS system. Oneadvantage of the invention is that it can be applied in many operationalmodes, such as the Point-to-Point, PTP, connection, multipointconnection (Point-to-Multipoint-Multicast, PTM-M;Point-to-Multipoint-Group, PTM-G) etc. The ciphering methods areclassified mainly on the basis of the TLLI identity. A distinct TLLIidentity is allocated for each connection type between the mobilestation MS and the packet switching controller SGSN. The followingdifferent types are available for use in the GPRS system according topresent standards:

Point-to-Point (PTP) uses unique TLLI identity in the communicationbetween the mobile station MS and the packet switching controller SGSN.

Point-to-Multipoint-Multicast (PTM-M) uses TLLI allocated for thecommunication between the mobile station MS and the multicast serviceprovider.

Point-to-Multipoint-Group (PTM-G) uses TLLI allocated for mutualcommunication via multicast service provider of mobile stations MSwithin the mobile station group.

Point-to-Point connection typically uses the acknowledged mode at thelink layer level, i.e. the receiver of the transmission transmits dataas an acknowledgement of a correct reception. At Point-to-Multipointconnections, data frames are usually transmitted by using operation modein which acknowledgements are not transmitted.

As already has been stated earlier in this description, in systems wheredata of different connections is transmitted in the same channel, it isnot preferable to cipher the header field of data frames by a uniqueciphering key for each connection. In this case, the data, frames areciphered at least partly at some other layer than the physical layer. Inthe GPRS system, the ciphering is executed at the LLC layer. Thetransmitted data is ciphered in such a way that to each bit of the dataframe, a corresponding bit of the ciphering bit string is summed. Theciphering bit string has been formed preferably by a ciphering algorithmby using an individual and unique ciphering key Kc. The cipheringalgorithm is, for example, the A5 algorithm known from the GSM system.

In addition to the correct address, one has to ensure that the dataframes can be sequenced in the receiver. This can be implemented in amanner known per se, so that synchronization data COUNT is entered intothe ciphering algorithm, in which case the receiver is able, afterdeciphering, to find out the sequence of the data frames. For example,in TDMA systems (Time Division Multiple Access), like GSM, the TDMAframe number can be used for numbering the data frames of the physicallayer. However, the packet switching controller SGSN of the GPRS systemdoes not know the TDMA frame number, so in this invention a method hasbeen developed for synchronizing data frames, and in this method thesequence number of data frames (data frame number) is used as asynchronization data. Thus the contents of each transmitted block aredetermined by, for example, the frame numbering and the ciphering keyKc.

The amount of data to be ciphered varies in different connections, butthis is not significant in the application of the invention since theciphering can be executed by dividing the transmitted data preferablyinto sub-blocks of standard length. Then the first bit of each sub-blockis ciphered by the first bit of the ciphering algorithm, the second bitof the sub-block by the second bit of the ciphering algorithm etc. Inthe GPRS system, the length of a sub-block can be, for example, 114bits, such as in the present GSM system. The length of the sub-block canbe, preferably, also divisible by the length of a byte. In manyapplications, the length of the byte is eight, in which case a suitablelength for a sub-block could be 64 bits.

In the GSM system, a mobile station MS can use only one ciphering key Kcat a time. In the GPRS system, one ciphering key per mobile station MSis not necessarily sufficient in every situation, since the mobilestation can simultaneously have many different types of activeconnections (PTP, PTM) with each connection having most preferably aseparate ciphering key Kc which has been preferably formed by differentmeans. The ciphered data frame contains thus the ciphering key Kc beingused, the synchronization data COUNT and possibly also the values COUNTbof a block counter BLCNT attached to the TLLI. FIG. 4a shows apreferable ciphering method according to the invention as a schematicblock diagram in a situation where a non-encrypted sub-block (plain textin) is transferred encrypted (encrypted text) from the network to themobile station. In this embodiment, also the value COUNTb of the blockcounter is used in the determination of the ciphering block BLOCK 1. Theblock counter can be set to its initial value by means of a setting line"clear", preferably at the start of the data frame of each adaptinglayer. Both at the network side and in the mobile station MS, the valueof the synchronization data COUNT is calculated for each transmittedblock, with the value of the synchronization data COUNT and theciphering key Kc entered into the ciphering algorithm A5. At thetransmission side, the output bit string (BLOCK1) is summed to thesub-block (plain text in). The encrypted sub-block is transferred in thechannel to the mobile station MS. The mobile station MS deciphers itcorrespondingly by summing the output bit string (BLOCK1) of theciphering algorithm A5 to the received encrypted sub-block and, as aresult of the summing, a non-encrypted sub-block (plain text out)corresponding to the transmitted sub-block is obtained. FIG. 4b showsanother preferable ciphering method according to the invention as aschematic block diagram. This embodiment differs from the embodiment ofFIG. 4a mainly in that the block counter BLCNT is not used.

A typical length of a frame sequence number is from six to eight bits.From the ciphering security point of view, this value as COUNT variablealone is not sufficient, and therefore also other variables can be usedin the determination of the COUNT value of the synchronization data inaddition to the frame sequence number, for example, the base stationidentification. The base station identification is known by both thenetwork and the mobile station, since the mobile station, which is beingused, notifies the packet switching controller SGSN about the changingof the base station. The changing of the base station alters thus theCOUNT value of the synchronization data in this embodiment.

In the Point-to-Point connection mode, the following variables areavailable in the determination of the COUNT value of the synchronizationdata:

a) The frame number of the Logical Link Control layer (LLC frame number,LLC #) which is conveyed to the adapting layer (SNDC).

b) The data frame number of the adapting layer (SNDC data block number,SDU#) which can be attached to the transmitted data frame or initializedat the start of the connection when it is maintained at both ends of theconnection.

c) Identity of a routing area (Routing area #) which is known at bothends of the connection so that the identity need not be attached to thetransmitted data frame.

d) Identity of the area of a packet switching controller (SGSN #) whichis known at both ends of the connection so that the identity need not beattached to the transmitted data frame.

e) Identity of a base station (Cell #) which is known at both ends ofthe connection so that the identity need not be attached to thetransmitted data frame.

In Point-to-Multipoint connection mode, the following variables areavailable in the determination of the COUNT value of the synchronizationdata:

a) The data frame number of the adapting layer (SNDC data block number,SDU #) which is transmitted within the SNDC data frame.

b) Identity of a routing area (Routing area #) which is known at bothends of the connection so that the identity need not be attached to thetransmitted data frame.

c) Identity of the area of a packet switching controller (SGSN #) whichis known at both ends of the connection so that the identity need not beattached to the transmitted data frame.

d) Identity of a base station (Cell #) which is known at both ends ofthe connection so that the identity need not be attached to thetransmitted data frame.

Additionally, in both connection modes, the value of the block counterBLCNT can be used, which makes cracking of an encrypted data field evenmore difficult for an intruder, since the same ciphering bit string isnot used in the encryption of sequential data fields. Otherwise, therecalculation is executed only once for each transmission of a dataframe of the adapting layer. The length of the data frame of theadapting layer can be thousands of bits, so that it may be possible tofind out the encryption key if the encryption algorithm is notcalculated sufficiently often.

The above presented variables defining the synchronization data COUNTcan either be used alone or in combination. Some of the variables thushave to be delivered to the receiver within data frames and some of themcan be managed locally. The use of locally managed variables increasesthe level of the security and to some extent it reduces the amount oftransferred data. The following tables give an example of the contentsof the synchronization data COUNT. Table 1.1 shows some synchronizationdata according to the most preferable embodiment of the invention and init, a block counter BLCNT has been used, and table 1.2 shows anotherpreferable embodiment of the invention and in it, the identity of thebase station has been used instead of the value of the block counterCOUNTb.

                                      TABLE 1.1                                   __________________________________________________________________________    Bit/                                                                          mode                                                                             22                                                                              21                                                                              20                                                                              19                                                                              18                                                                              17                                                                              16                                                                              15                                                                              14                                                                              13                                                                              12                                                                              11                                                                              10                                                                              9 8 7 6 5       4                                                                             3                                                                             2                                                                             1                                __________________________________________________________________________    PTP                                                                              SDU # (local or delivered)                                                                    LLC # (delivered)                                                                         COUNTb                                         PTM                                                                              SDU # (delivered)                                                                             1 1 1 1 1 1 COUNTb                                         __________________________________________________________________________

                                      TABLE 1.2                                   __________________________________________________________________________    Bit/                                                                          mode                                                                             22                                                                              21                                                                              20                                                                              19                                                                              18                                                                              17                                                                              16                                                                              15                                                                              14                                                                              13                                                                              12                                                                              11                                                                              10                                                                              9 8 7 6 5       4                                                                             3                                                                             2                                                                             1                                __________________________________________________________________________    PTP                                                                              SDU # (local or delivered)                                                                    LLC # (delivered)                                                                         Cell #, Routing area # or SGSN #                                              (local)                                        PTM                                                                              SDU # (delivered)                                                                             1 1 1 1 1 1 Cell #, Routing area # or SGSN #                                              (local)                                        __________________________________________________________________________

In the following, the setting of the ciphering key Kc is described. Thesetting of the ciphering key Kc is initiated by the network as often asthe network operator finds it necessary. Additionally, a uniqueciphering key has to be generated for each TLLI connection. A table ofthe ciphering key Kc-TLLI identity pairs is most preferably maintainedboth in the packet switching controller GPRS and in the mobile stationMS. The setting of the ciphering key is different for differentconnection types.

In a Point-to-Point connection, the ciphering key Kc is transmittedindirectly by using a random access number RAND. The ciphering key Kc isformed in the GPRS system preferably from the random access number RANDand from the subscriber identification key Ki of the mobile station byusing the algorithm A8, just as in the GSM system. The identificationkey of a mobile station has been stored on the SIM card (SubscriberIdentity Module) of the mobile station and in the Authentication CentreAuC of the network.

In a multipoint connection, all mobile stations which are connected tothe same service use the same ciphering key Kc. The ciphering key Kc isactivated when the connection to the service is created. The cipheringkey Kc can be entered to the mobile station MS by using differentmethods. A multipoint service provider can enter the ciphering key, forexample, in a ciphered mode, in which case the mobile station MS has tobe logged to the packet switching controller GPRS through aPoint-to-Point connection prior to gaining access to the multipointconnection. During the logon stage of the Point-to-Point connection, aciphering key Kc has been defined for the connection and it is used inthe encryption of the ciphering key of the multipoint connection when itis transmitted to the mobile station MS.

The ciphering key of the multipoint connection can also be entered, forexample, by using the keypad of the mobile station MS, such as, forexample, a PIN code, or a kind of SIM card can be used where, amongother parameters, the ciphering key Kc has been stored.

The ciphering key Kc need not be regenerated when the mobile station MSchanges its location to the area of another packet switching controllerGPRS because the ciphering key can be delivered from the previous packetswitching controller to the new one.

The transition from clear text mode to ciphered mode proceeds preferablyin such a way that the packet switching controller GPRS transmits inclear text a special "start cipher" command. In the mobile station MS,the enciphering of the transmission and the deciphering of the receivingstart after the "start cipher" command has been correctly received bythe mobile station. On the packet switching controller GPRS side, theenciphering starts correspondingly after the packet switching controllerhas received the message transmitted by the mobile station MS anddeciphered it. The above described operation corresponds, in its mainparts, to the start of the enciphering of the GSM system.

In some packet switching applications, ciphering can be applied also insuch a way that only messages going in one direction are ciphered, i.e.messages from the mobile station MS to the packet switching controllerGPRS or from the packet switching controller GPRS to the mobile stationMS. Applications like this include, for example, delivering ofadvertisements which are usually transmitted non-ciphered.

Additionally, ciphering according to the invention can be applied alsoin such a way that only some part of the transmitted data frames of theadapting layer SNDC is ciphered. In this case, one encryption bit ismost preferably added to the data frame of the adapting layer and itwill indicate whether the data frame concerned is ciphered ornon-ciphered. For example, when the encryption bit has the value zero,the data frame is non-ciphered and when the encryption bit has the valueone, the data frame is ciphered. This can be used, for example, insituations where the access rights to a service require registration orthe equivalent, in which case the registered users can decipher theciphered data frames. For other users, the service provider can deliverinformation concerning services and advertisements in non-ciphered dataframes.

FIG. 5a shows an example of a data frame structure of a link layeraccording to a preferable embodiment. The header field of the data frame(frame header) comprises a TLLI identity of three bytes and a controlpart (Control) of two bytes. A byte comprises, as is known per se, eightbinary information (bits).

The information field of the data frame comprises the transmittedinformation. The length of the information field may vary. The dataframe also contains a check field (Check sequence) of two bytes whichincludes, for example, error correction information.

FIG. 5b shows the structure of the control part of the data frame ofFIG. 5a when the data frame is an information delivery and systemsupervisory data frame (Information+supervisory) wherein:

C/R indicates whether it is a question of a command or a response(Command/Response),

S1 and S2 describe the type of the supervisory command,

N(S) is the number of the sending sequence (Send sequence number),

P/F indicates whether it is a question of a confirmation request message

(P) or a confirmation message (F) (Poll/Final), and

N(R) is the number of the reception sequence (Receive sequence number).

FIG. 5c shows the structure of the control part of the data frame ofFIG. 5a when the data frame is a system supervisory data frame(Supervisory). The significance of bits has been described above.

FIG. 5d shows the structure of the control part of the data frame ofFIG. 5a when the data frame is an unnumbered data frame (Unnumbered)wherein:

M 1-5 are unnumbered commands and responses,

G/D indicates whether it is a question of a control or a data frame(Control/Data), and

x-bits are not significant.

FIG. 6a shows an example of a data frame structure with a Point-to-Pointconnection of an adapting layer according to a preferable embodiment.The first byte contains control data in which:

M indicates whether it is a question of the last segment of theinformation formed by the application,

E indicates whether the ciphering is in use,

Pri indicates the priority classification,

NLSI is protocol data which can be, for example,

TCP/IP,

CLNP,

X0.25,

GPRS, etc.

FIG. 6b shows an example of a data frame structure with a multipointconnection of an adapting layer according to a preferable embodiment.The significance of bits has been described above.

Although the invention has been described above in a data transfersystem where mobile stations MS, base station subsystems BSS and packetswitching controllers SGSN of a GPRS system are used, the invention canbe applied also in other data transfer systems, such as TDMA and CDMAdata transfer systems, most preferably in packet switching data transfersystems.

The invention has not been limited only to the above presentedembodiments, but it can be modified within the scope of the attachedclaims.

What is claimed is:
 1. A method for the encryption of informationtransferred between data transfer devices in a data communication systemwherein plural data frames are created from one or more data packetsformed from the information by a communication application, andindividual ones of these data frames comprise at least a header fieldand a data field, wherein the method comprises steps of:ciphering atleast one part of the data packets by using a ciphering key; attachingsynchronization data to the data frames, wherein the synchronizationdata includes a sequence number of each of said data frames; andchanging the value of the ciphering key at least at the transmission ofeach of said data frames.
 2. A method according to claim 1 wherein adata transfer connection is formed between two or more data transferdevices connected to the data communication system, wherein a separateciphering key is allocated to each connection, in which case in a commondata transfer channel, data frames of at least two separate connectionsare transferable in ciphered mode independent of each other.
 3. A methodaccording to claim 1 wherein a group of said data frames is divided intosub-blocks, wherein synchronization data comprises a block counter whichis allocated separately to each connection and to which an initial valueis set at a start of a connection and a value of which is changed at atransmission of each of said sub-blocks.
 4. A method according to claim1 wherein data frames are formed at an adapting layer.
 5. A methodaccording to claim 4, wherein data frames of the adapting layer aretransferred to a tile link layer wherein data frames of the tile linklayer are formed from data frames of the adapting layer for transmissionto a transmission path.
 6. A method according to claim 5, whereinsynchronization data comprises at least one of the following:data framenumber of the tile link layer, data frame number of the adapting layer,identity of a routing area, identity of an area of a packet switchingcontroller, and identity of a cell.
 7. A method according to claim 6,wherein a data frame number is formed and maintained locally in datatransfer devices linked to a data transfer connection in which case thesequence number is set to its initial value at a start of the datatransfer connection and is updated in a previously defined manner duringthe connection.
 8. A method according to claim 7, wherein the datatransfer connection is a data transfer connection of a packet switchingsystem.
 9. A method according to claim 7, wherein the data transferconnection is a Point-to-Point connection.
 10. A method according toclaim 7, wherein the data transfer connection is a multipointconnection.
 11. A method according to claim 10, wherein there are aplurality of data transfer connections including said data transferconnection, and information is transferred between a file data transferdevice of a data service provider and data transfer devices of dataservice users, wherein a ciphering key (allocated separately to each ofsaid data connections is set to respective ones of the data transferdevices by transferring the ciphering key in a ciphered mode in the datacommunication system, by using a keypad of a data transfer device.
 12. Amethod according to claim 11, whereinonly data transmitted from the datatransfer device of a data service provider to data transfer devices ofdata service users is ciphered at least partly, only data transmittedfrom data transfer devices of data service users to the data transferdevice of data service provider is ciphered at least partly, or datatransmitted in both directions is ciphered at least partly.
 13. A methodaccording to claim 12, wherein at a start of ciphering, data, concerninga direction in which data transfer is ciphered, is transmitted to datatransfer devices.
 14. A method according to claim 10 wherein there are aplurality of data transfer connections including said data transferconnection, and information is transferred between a file data transferdevice of a data service provider and data transfer devices of dataservice users, wherein a ciphering key allocated separately to each ofsaid data connections is set to respective ones of the data transferdevices by transferring the ciphering key in a ciphered mode in the datacommunication system, by using a smart card.
 15. A method according toclaim 6, wherein a data frame number of the link layer is maintained inone data transfer device of a data transfer connection and is deliveredto other data transfer devices in a data frame of the link layer.
 16. Amethod according to claim 1, wherein only some part of the data framesof an adapting layer is ciphered, in which case data of a ciphering ofeach of said data frames is transmitted in the header field of therespective data frame.
 17. A data communication system which comprisesmeans for encryption of information transferred between data transferdevices, means for forming one or more data packets of the informationand means for forming data frames of the data packets, the means forencryption of information comprise at least:means for ciphering datapackets by a ciphering key, means for changing a value of the cipheringkey for each of a plurality of transmission blocks; means for attachingsynchronization data to data frames, means for changing the value of thesynchronization data (COUNT) at the transmission of each data frame,wherein the synchronization data includes sequence numbers of respectiveones of the data frames, and means for interpreting synchronization datain the data transfer device of the receiver.
 18. A data communicationsystem according to claim 17, characterized in that the data transferdevices comprise at least one mobile station.
 19. A data communicationsystem according to claim 18, characterized in that the mobile stationis a GSM mobile station.
 20. A data communication system according toclaim 17, characterized in that the data transfer devices comprise atleast one base station.
 21. A data communication system according toclaim 20, characterized in that the base station is a GSM base station.